# Shodan Dork Cheatsheet

### General Search Queries

* `city:"[city name]"`: Devices in a specific city.
* `country:"[country code]"`: Devices in a specified country.
* `geo:"[latitude],[longitude]"`: Geographic location-specific devices.
* `hostname:"[hostname]"`: Devices with a particular hostname.
* `net:"[IP range]"`: Devices within a certain IP range.
* `os:"[operating system]"`: Devices running a specific OS.
* `port:"[port number]"`: Devices with a specific port open.
* `org:"[organization name]"`: Devices related to a certain organization.
* `isp:"[ISP name]"`: Devices using a specific ISP.
* `product:"[product name]"`: Devices with a specific software/hardware.
* `version:"[version number]"`: Devices on a particular software version.
* `has_screenshot:"true"`: Devices with available screenshots.
* `ssl.cert.subject.cn:"[common name]"`: SSL certificates with a specific CN.
* `http.title:"[title text]"`: Web pages with a certain title.
* `http.html:"[HTML content]"`: Web pages containing specific HTML.
* `http.status_code:[code]`: Devices returning a specific HTTP status code.
* `ssl:"[SSL keyword]"`: Devices with specific SSL configurations/details.
* `before:"[date]"` / `after:"[date]"`: Devices online before/after a date.
* `bitcoin.ip:"[IP address]"`: Bitcoin nodes by IP.
* `ssh.fingerprint:"[fingerprint]"`: SSH servers with a specific fingerprint.

### Applications and Services

* `product:"[product name]"`: Devices running a specific product.
* `version:"[version]"`: Devices with a specific version number.
* `webcam`: Searches for internet-connected webcams.
* `"default password"`: Devices using default passwords.
* `"server: Apache"`: Finds Apache web servers.
* `ftp`: Devices with FTP services.
* `"X-Powered-By: PHP/[version]"`: PHP version-specific servers.
* `iis:[version number]`: Servers running Microsoft IIS.
* `"Server: nginx"`: Devices running Nginx server.
* `"MongoDB Server Information" port:27017`: MongoDB databases on default port.
* `"CCTV"`: Internet-connected CCTV cameras.
* `"PBX VoIP"`: VoIP PBX systems.
* `"Elasticsearch"`: Elasticsearch servers.
* `"OpenSSL"`: Devices using OpenSSL.
* `"SCADA"`: SCADA systems.
* `"VoIP Phone"`: Internet-connected VoIP phones.

### Device and Service Identification

* `asn:"[ASN]"`: Devices associated with a specific ASN.
* `http.favicon.hash:[hash]`: Web servers with a specific favicon hash.
* `ntp.ip:"[IP address]"`: NTP servers related to a specific IP.
* `ssl.cert.issuer.cn:"[issuer CN]"`: SSL certificates issued by a specific issuer.
* `http.component:"[component]"`: Web applications using specific components.
* `http.robotstxt:"[content]"`: Web servers with specific robots.txt content.
* `http.waf:"[WAF name]"`: Identification of web application firewalls.
* `http.xssed:"[keyword]"`: Web pages marked in XSSed database.
* `http.cookie:"[cookie name]"`: Web servers setting a specific cookie.
* `http.useragent:"[user agent]"`: Devices with a specific user agent.

### Network and Infrastructure Analysis

* `not ssl`: Devices not using SSL.
* `metadata:"[keyword]"`: Searches for devices with specific metadata.
* `http.html_hash:[hash]`: Identifies web pages with a specific HTML hash.
* `netblock:"[owner]"`: Devices within a netblock owned by a specific entity.
* `asn:"[ASN]"`: Devices associated with a specific ASN.
* `http.server_header:"[header content]"`: Devices with specific server header responses.
* `udp`: Devices with open UDP ports.
* `telnet`: Devices accessible via Telnet.

### IoT and Connected Devices

* `"smart tv"`: Searches for internet-connected smart TVs.
* `"printer" "default password"`: Printers possibly using default passwords.
* `"Raspberry Pi" port:22`: Raspberry Pi devices with SSH enabled.
* `"thermostat" "wifi"`: Wi-Fi-enabled thermostats.
* `"smart home"`: Various smart home devices.
* `"IP camera" "default login"`: IP cameras with default login credentials.
* `"smart meter"`: Internet-connected smart meters.
* `"home automation"`: Home automation systems.
* `"wearable"`: Wearable technology devices.

### Security and Vulnerability Research

* `ssl.cert.serial:"[serial number]"`: SSL certificates by serial number.
* `"Server: Microsoft-HTTPAPI/2.0"`: Devices running specific Microsoft HTTP services.
* `"Cisco IOS" "http auth"`: Cisco IOS devices with HTTP authentication.
* `"default login" "router"`: Routers with default login credentials.
* `"Hadoop NameNode"`: Hadoop NameNode servers.
* `"Apache Struts" vuln`: Apache Struts vulnerabilities.
* `"Tomcat" admin`: Tomcat servers with admin panels.
* `"Docker" port:2375`: Docker instances on default port.
* `vuln:"[CVE-ID]"`: Searches for vulnerabilities with a specific CVE ID.
* `"200 OK" ssl`: Servers with SSL certificates returning 200 OK.
* `"Server: Apache" -"mod_ssl" -"OpenSSL"`: Apache servers potentially without SSL encryption.
* `ssl.cert.expired:"true"`: Devices with expired SSL certificates.
* `"heartbleed" vuln`: Searches for vulnerabilities related to Heartbleed.
* `http.component:"Drupal" vuln:"CVE-2018-7600"`: Drupal sites vulnerable to a specific CVE.
* `"Authentication: disabled"`: Devices with authentication disabled.
* `http.title:"Index of /"`: Directories with potentially open indexes.
* `ssl:"TLSv1"`: Searches for devices using the older TLSv1 protocol.
* `org:"[organization]" vuln:"[CVE-ID]"`: Searches for vulnerabilities within a specific organization.
* `"EternalBlue" vuln`: Devices vulnerable to EternalBlue.
* `"Joomla" vuln`: Joomla sites with specific vulnerabilities.
* `"WordPress" vuln`: WordPress sites with specific vulnerabilities.
* `"SQL Injection" vuln`: Devices vulnerable to SQL Injection.
* `"DDoS" vuln`: Devices potentially vulnerable to DDoS attacks.

### Geographic and Demographic Analysis

* `city:"[city]" os:"[OS]"`: Devices with a specific OS in a city.
* `country:"[country]" product:"[product]"`: Specific devices in a country.
* `region:"[region]"`: Devices in a specific region.
* `postal:"[postal code]"`: Devices in a specific postal code.
* `latitude:"[latitude]" longitude:"[longitude]"`: Devices at specific coordinates.
* `area:"[area code]"`: Devices in a specific area code.

### Combined Queries

* `os:"Linux" port:"22" "SSH" country:"JP"`: Linux devices with SSH in Japan.
* `product:"Apache" version:"2.4.7" -"200 OK"`: Apache servers not returning 200 OK.
* `city:"New York" os:"Windows" port:"3389"`: Windows devices with RDP in New York.
* `net:"192.168.1.0/24" webcam`: Webcams in the 192.168.1.0/24 IP range.
* `org:"Google" ssl cert:"expired"`: Expired SSL certificates in Google's infrastructure.
* `country:"DE" product:"MySQL" version:"5.5" "default password"`: MySQL databases in Germany.
* `"HTTP/1.1 401 Unauthorized" city:"London" port:"80"`: Unauthorized HTTP responses in London.
* `"Server: Apache" -"Apache-Coyote" country:"BR"`: Apache servers in Brazil.
* `hostname:"*.edu" vuln:"CVE-2019-11510"`: Educational institutions vulnerable to CVE-2019-11510.
* `"IIS/8.0" -"X-Powered-By" net:"205.251.192.0/18"`: IIS 8.0 servers in the specified range.

